Unlike the large majority of banking Trojan, the Zeus Trojan has always been a commercial code, sold by its creator to those who could afford an advanced fraud tool and understood how to use it. With time, Zeus became the most infamous and most propagated Trojan in cybercrime history. In October 2010, nearly one year ago, the bequeathing of the Zeus Trojan’s source code by its owner “Slavik”, to his then biggest rival, the SpyEye Trojan’s coder (“Harderman”), united the future of 2 giant commercial codes and threw a Zeus-faced wildcard into the game when its entire source code was leaked in March 2011.
But it was nearly two months before the announcement of the code ‘merger’ was even made that RSA researchers were already looking at a rather special upgrade of the Zeus Trojan: Zeus v2.1. A surprising and rare new version which included some of the most sophisticated additions to the Zeus code seen in recent times, making it more impervious and hardened thus shutting-out a lot of potential interference with this variant’s configuration and its communication patterns. At the time (early September 2010), our team was in the possession of a single variant of this upgrade and was not entirely sure what it represented as yet. The interesting part of the upgrade was its low propagation numbers and the time lapse it took for the Lab to see more of it in the wild. True Zeus 220.127.116.11 variants were not being sold in underground forums. These two initial observations already suggested that the new upgrade was the property of one cybercriminal or a single cybercrime gang.
Within six months, Zeus 18.104.22.168 was being detected more and more often, and although the number of variants kept growing, the trigger list in each and every one of them was identical – a rare case for Zeus variants in which each operator updates his own list of triggers. This was the third sign pointing to a single operations team for Zeus 22.214.171.124.
June 2011 – a sharp peak in Zeus 126.96.36.199 attacks resulted from the propagation of hundreds of variants of this upgraded version. To date, the RSA Research Lab detected 414 different variants, and yet, each and every variant still went after the exact same trigger list. At this point it was clear that Zeus 188.8.131.52 belongs to one gang who had the Zeus source code way before the merger, way prior to the code leak and before anyone even imagined what would become of Zeus.
This gang developed their own Zeus Trojan using Zeus’ source codes and its mainframe; this gang operates Zeus 184.108.40.206 without sharing their malevolent creation with outsiders.
More than the actual upgrade of the Trojan code, the new Zeus 220.127.116.11 behaved in a new way, unlike the one observed in other Zeus variants. Unlike other advance Trojans who contact the mothership through reverse proxies, fast flux networks, or those who use their own botnet as proxies – Zeus 18.104.22.168 never communicates directly with the mothership. This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 22.214.171.124’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names (URLs) per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.
The cybercriminal operation team behind the scenes has the same algorithm. They know exactly when the whole botnet will attempt to communicate with a specific new domain name, and then simply go and buy that domain name, hosting each one through facilities located all over the world. At that point, the whole botnet queries the new domain with a request for the update file – and receives it, and the C&C queries its bots for the stolen data they have in store – and receives it. Mission accomplished.
This all happens without anyone outside the gang knowing their algorithm or being able to guess which communication channel they will choose for their botnet next. Even if an external party was to attempt to solve the algorithm, they would have to buy the domains before the gang does, thus engaging in a race against time and paying for numerous domain registrations every hour (!). No matter how many domains an adversary buys, the bot masters will eventually buy one and the botnet will end up communicating with it.
The communication through randomized domains generated by the Trojan is directed through a list of legitimate VPS and legitimate cloud services used as a proxy. This raptures any further tracking possibilities of the true motherships which militate the immense botnet.
Zeus 126.96.36.199’s behavior pattern has never been used in Zeus or SpyEye variants, but it sure is identical to another Trojan’s sophisticated and diuturnal operations – Sinowal. A long standing, privately owned Trojan, operated by an organized cybercrime gang based out of Russia, Sinowal is perhaps one of the most persevering private banking Trojans; one whose nefarious nature has been the intrigue of many security researchers since as early as 2006.
It was initially somewhat surprising to see that Zeus 188.8.131.52 was not only a private version of Zeus, it also behaves exactly in the same manner as Sinowal similarly held by Russian-speaking cybercriminals. These common denominators raised a logical suspicion as to the possibility of the two sharing some links if not operated by the same gang altogether.
LINK TO OUR HOME PAGE :